AnyConnect certificate

I have installed an SSL cert from Symantec for my AnyConnect configuration. Everything seemed to be working fine; however, after logging into our AnyConnect portal I am receiving an error during the Java applet launch saying "The web site's certificate cannot be verified. Do you want to continue?" Even though, from what I see, the site is verified and encrypted...
Is there something I'm missing? ... let me know what information you need to troubleshoot.

Andrew,
You need to apply the certificate on the outside interface where you have enabled webvpn.
Here is what you have to do:
ASDM
Step 5. Configure WebVPN to Use the Newly Installed Certificate
ASDM Procedure
1. Click Configuration, and then click Device Management.
2. Expand Advanced, and then expand SSL Settings.
3. Under Certificates, select the interface that is used to terminate WebVPN sessions. In this example, the outside interface is used.
4. Click Edit.
5. In the Certificate drop-down list, choose the certificate installed in Step 4.
6. Click OK.
7. Click Apply.
Your new certificate should now be utilized for all WebVPN sessions that terminate on the interface specified.
See the Verify section in order to confirm that the installation process was successful.
You also need to make sure that you complete the certificate chain in the ASA as well.
Kindly let me know if that helps.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Similar Messages

  • NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

    Hi everyone,
    Hoping someone can help please.
    We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
    We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
    What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
    then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
    Has anyone implemented this before and if so, are there any guides available please?
    Many Thanks,
    Dean.

    Hi Dean,
    Thanks for posting here.
    Yes, this is possible. But we have a guide about a sample that uses a Windows-based server (RRAS) to act as the VPN server, working with a Windows RADIUS/NPS server and using a certificate-based authentication method (Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or PEAP-TLS without smart cards), for reference:
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://technet.microsoft.com/en-us/library/cc754114.aspx
    Thanks.
    Tiger Li
    TechNet Community Support

  • AnyConnect certificate expiration prompt

    Does anyone use the feature where AnyConnect will notify the user when their certificate is expiring with X days?  The Admin guide for anyconnect 2.5 says it's supported but we have not been able to get it to work.  I have tried every version from 2.5.2014 to 2.5.3055 without any luck.  I then tried 3.0.4235 and it worked.  Is there anything special that needs to be done with anyconnect 2.5 or is this a known bug?

    Hi,
    I went to Transaction RZ20 -> SAP CCMS Technical Expert Monitors -> System / All Monitoring Segments / All Monitoring Contexts -> hostname where Java is running, but I am not getting services --> keystore.
    How can I add this? I want an alert for the ABAP certificate.
    Also, please suggest how to configure these alerts:
    1. SLD start/stop
    2. RFC connection
    3. IDocs queue stuck
    4. System start/stop
    Thanks,
    Prabhat Misra

  • Anyconnect certificate password issue

    I have VPN access setup on a Small Business RVS4000 and can connect computers to it just fine using QuickVPN.
    I have Anyconnect installed on an Android device and when I try to import the certificate I generated from the RVS4000, a password prompt pops up. 
    I never specified a password for this certificate.  Is there a default one I can use?  I've tried the user passwords, admin password for the router, admin, password, and even 1234.
    The certificate is a .pem file.

    I was looking around and found an internal defect that you cannot see so I am going to paste the inside content for your reference:
    AnyConnect does not allow import of PKCS12 bundles with blank passwords
    Symptom:
    When importing a certificate bundle with a blank password, AnyConnect will indefinitely prompt for the password as if the password was incorrect.
    Conditions:
    The certificate bundle must have a blank password.
    Workaround:
    Set a password on the bundle when exporting or creating it, and use that password when importing the bundle into AnyConnect.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • How to configure AnyConnect/ASA/Certificate/MS CA together

    Hello
    We are looking to apply mobile device management utilizing some third-party cloud solution. Mostly iPad users will connect to our internal network using AnyConnect through the ASA. A third-party MDM will be used to control and provision the iPads, and I need to provide a solution for AnyConnect VPN.
    Looking for some guidance, docs, examples, or white papers that will provide info on how to configure the following:
    Users will connect to the ASA VPN using AnyConnect; a certificate issued by the internal Microsoft CA and unique to each user will be used to authenticate the user. ACS will communicate with Microsoft AD to check if the user is a valid AD user. Once authentication is done, the user will have access to the internal network.
    I am struggling to get all those pieces of the puzzle together so I can work on a solution.
    I would appreciate it if someone could give me some ideas on how this whole scenario will work.
    Thank you.

    Anyone from the experts out there? I am sure someone has done this before.

  • Certificate Validity Message

    Hi,
    I'm facing an error while AnyConnect is trying to connect, showing a message about certificate validity (as attached to this post), but it connects successfully.
    I guess something is wrong with the cert I'm using (it's an essential cert).
    Cert Info:
    Type: General
    Usage: general purpose
    Valid To: 30 Dec 2014
    Best regards,
    Ali

    Please review the following document:
    AnyConnect Certificate Based Authentication
    Your error is due to lack of a proper USER certificate, not the server (ASA) certificate. You need to either issue and install a proper user certificate on your client PC or set up the Connection Profile to not use certificate authentication (see step 6 in the linked document).

  • LDAP vs local login for remote access

    Hi Team,
    I am evaluating the best means for single-factor authentication for remote access (client-to-site or SSL VPN). The options I see are creating local usernames and passwords or integration with Active Directory via LDAP. What are the pros and cons of these solutions?
    I feel local logins are comparatively more secure because the user first logs in using the local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an administrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

    Hello Manoj,
    IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
    The local DB is used in case you need to manage a number of 15 users, for instance, so in this case it is manageable, but when it comes to a higher number it is not an option.
    Active Directory is a better solution since it is meant to handle hundreds of users and allows password management, for instance. Also you can have many ASA devices performing DB bindings and queries to check the users' credentials against the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
    If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates, for instance:
    AnyConnect Certificate Based Authentication.
    Why use AD:
    Pros:
    Scalable.
    Easy to manage.
    Allows password management.
    Cons:
    Expensive (not an open AD solution).
    HTH.
    Please rate helpful posts.

  • Advantages of Using Secure Connect in Cisco Jabber Version 9.0

    Hello,
    About a month ago we deployed Jabber for iPhone.   For VPN we used Cisco AnyConnect,certificate authentication and VPN on demand.   We used our MDM to deploy the certificates and AnyConnect configuration.    So far everything is working as designed.  Now with the release of version 9, Secure Connect is an option and I was wondering what are the advantages of using Secure Connect? 
    Thanks

    Hi Manrico,
    Are all the systems using the same firewall policy? It could be one of the rules configured in the SEP client. What build version are you running? Are all systems using the same version of the VPN client? As Parminder stated, you should disable the firewall and check the behavior.
    If the firewall is found to be the cause, you can troubleshoot by adding an "Allow All" rule to the top of the SEP policy, then moving the rule down one line at a time until the problem occurs again. Once that happens, you will have narrowed it down to the rule just above.
    Let us know how it goes for you.
    Best,
    Thomas

  • No available encryption algorithms in my ASA

    Hi all,
    I have a Cisco ASA 5510 running version 8.02. When I navigate to "remote access vpn -> advanced -> ssl settings" I could not see any available algorithms under the encryption section. How can I add the encryption algorithm in? I need the encryption algorithm as I want to enable SSL authentication using a cert on my ASA interface. Please advise. Thank you.

    Hi Don,
    What exactly are you looking for?
    The ASA base license does allow two simultaneous SSL sessions and you do not need any extra license to achieve certificate authentication.
    In order to allow certificate authentication per connection profile:
    Please check this document for further reference:
    AnyConnect Certificate Based Authentication.
    HTH.
    Portu.
    Please rate any helpful posts

  • AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!

    Hi guys,
    Is there a way to disable the warning generated from using self signed certs?
    I would like to make the process as seamless as possible.
    AnyConnect 3.1
    ASA 8.4(2)
    Thanks.

    Hi,
    We had a problem with the above error message with our certificate when we moved to AnyConnect 3.1.
    We were instructed to request a new one.
    Also, here is the link to the Cisco site we were provided that explains the changes in 3.1:
    IPSec and SSL connections require server certificates to contain Key Usage attributes of Digital Signature and Key Encipherment, as well as an Enhanced Key Usage attribute of Server Authentication or IKE Intermediate. Note that IPSec server certificates not containing a Key Usage are considered invalid for all Key Usages, and similarly an IPSec server certificate not containing an Enhanced Key Usage is considered invalid for all Enhanced Key Usages.
    Link to document
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
    Sadly I don't dabble with certificates myself, so I'm not really familiar with this.
    - Jouni

  • Anyconnect VPN via IPSec - Certificate issue

    Hi,
    I'm currently setting up a VPN-firewall and ran into problems with the certificates. I only want to enable IPSec connections via Anyconnect to the firewall. The client and the profile will be rolled out manually, so there is no need for anything web-based (portal, web-installer, SSL, etc.).
    The VPN-firewall is reached through the normal outside-firewall (NAT) via FQDN (vpn.abc.com).
    The normal setup is finished, but I have problems regarding the certificate. First I generated a CSR with "cn=fw001.abc.com", installed it and bound it to the interface, but when I try to connect I get the certificate errors ("cert doesn't match server name" and "ca not trusted"). Then I tried a new CSR with "cn=vpn.abc.com", but it's still the same. Tomorrow I will try to get the CA certificate to get rid of the "ca not trusted" message, but the one about the server name will still remain.
    I mean, the connection works, but it's this popup-window with the certificate warning that bothers me.
    I already had a similar configuration on another site, but there I had a wildcard certificate (*.xyz.com), which I installed as identity certificate and it worked properly.
    Questions:
    1.) Does anybody know what could be the issue here?
    2.) Do I need a certificate on the outside firewall? 
    Thanks in advance!

    Thanks for the response.
    First of all I need to state once again that I get 2 warnings:
    1.) Certificate does not match the server name.
    2.) Certificate is from an untrusted source.
    I know the procedure regarding certificates, I generated a request and got the proper signed licence, but the issue is the "server name not matching"-message. I created the CSR with the CN=vpn.abc.com, and got it signed with this CN. In the connection profile, the tunnel destination is also set to the domain and not the IP:
    "<HostAddress>vpn.abc.com</HostAddress>"
    But nevertheless, I get the message that the certificate doesn't match the server name. 
    I'm aware that the CA must be trusted on the PC, but this explains only the second message (untrusted) and not the mismatching name.
    Like I said I also tried it with CN=hostname.abc.com and sent the CSR to the signing, but it was the same issue. What name must I use so that the first message isn't showing up? 

  • Anyconnect VPN Certificate-matching not working

    Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
    Hello, I am trying to implement Certificate Matching for certain client profiles. However, 'certificate matching' does not seem to work: another certificate is always selected instead for AnyConnect SSL VPN authentication.
    For example, the client has two client certificates installed: masin2 and masin3. I have configured the client-profile certificate matching to use masin2 for authentication, but AnyConnect still chooses masin3 instead.
    The client profile looks like this:
    <CertificateMatch>
        <KeyUsage>
            <MatchKey>Key_Encipherment</MatchKey>
            <MatchKey>Digital_Signature</MatchKey>
        </KeyUsage>
        <ExtendedKeyUsage>
            <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
        </ExtendedKeyUsage>
        <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
                <Name>CN</Name>
                <Pattern>masin2</Pattern>
            </DistinguishedNameDefinition>
        </DistinguishedName>
    </CertificateMatch>
    Any suggestions/ideas? thanks for any input,
    heiki.

    Enabling wildcard did not help. I also tried disabling/enabling automatic certificate selection, with no luck.
    I have also tried with and without different KeyUsage and ExtendedKeyUsage settings, with no difference.
    The client profile is correctly updated on the client PC every time a change is made, but it seems like AnyConnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: CertificateStore, RetainVpnOnLogoff, UseStartBeforeLogon and so on).
    I even upgraded AnyConnect to the latest version, 3.1.05160, and still AnyConnect completely ignores the CertificateMatch configuration in the client profile.

  • Anyconnect VPN - Expired certificate causing Java error

    Hello,
    Since April 4th 2015 Java has been blocking the process of installing AnyConnect via web-deployment (see attached screenshot). It indicates there is an expired certificate with these details:
    Issuer CN=VeriSign Class 3 Code Signing 2010 CA,
    OU=Terms of use at https://www.verisign.com/rpa (c)10,
    OU=VeriSign Trust Network,
    O="VeriSign, Inc.",
    C=US
    Validity [From: Wed Jan 02 19:00:00 EST 2013,
    To: Sat Apr 04 19:59:59 EDT 2015] <-----------------------------
    Subject CN="Cisco Systems, Inc.", <-----------------------------
    OU=Digital ID Class 3 - Microsoft Software Validation v2,
    O="Cisco Systems, Inc.",
    L=Boxborough,
    ST=Massachusetts,
    C=US
    This certificate is not seen when entering 'show crypto ca cert' on the ASA -- it is NOT our certificate, as it is issued to "Cisco Systems, Inc", and it has clearly expired.
    We are running the ASA software 9.1.6 and this behavior happens (at least) with the three latest versions of Java.
    Is anyone else having this issue? Is there anything that can be done (server-side) to resolve this?
    Thanks in advance...

    I think it is possible to use same digital certificate. You can specify whether you want users to authenticate using AAA with a username and password or using a digital certificate (or both). When you configure certificate-only authentication, users can connect with digital certificate and are not required to provide a user ID and password.

  • ASA self-signed certificate for Anyconnect 3.1, which attributes?

    Hi everybody,
    I can't find detailed information on which attributes are exactly needed for the AnyConnect 3.1 client to correctly identify the VPN server (ASA 8.4(4)1).
    I have added two servers in the client connection profile:
    IP address, primary protocol IPsec
    IP address/non-default port number, primary protocol SSL
    Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)
    Connecting via SSL issues an additional warning "Certificate does not match the server name".
    The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.
    I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by AnyConnect 3.1. Where can I find a detailed description of which attributes are required for AnyConnect SSL sessions? I'm convinced the identity (DN cn) is OK.

    Shamelessly bumping this question,
    Anyone out there (maybe from Cisco) who can tell us which attributes are required on a self-signed certificate?
    I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.
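    The release-note requirements quoted earlier in this thread list (Key Usage of Digital Signature and Key Encipherment, EKU of Server Authentication or IKE Intermediate) and the "Certificate does not match the server name" warning seen in the two self-signed/CSR threads above come down to a handful of X.509 attributes. The script below is an added example, not code from any poster or from Cisco: it generates a self-signed identity certificate carrying those attributes with openssl (the tool mentioned above) and then checks a certificate against the same requirements, including a Subject Alternative Name matching the server name the client was given. vpn.abc.com, 203.0.113.10 and the file names are assumed placeholders; it requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed ASA identity cert
# with the attributes AnyConnect 3.1 checks, then verify them with openssl.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_FQDN="vpn.abc.com"   # assumed: the name clients use in <HostAddress>

# The CN alone does not satisfy the server-name check; the Subject Alternative
# Name must carry the DNS name (or IP) that the client actually connects to.
write_config() {
    cat > "$WORKDIR/asa.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = asa_ext

[ dn ]
CN = $HOSTNAME_FQDN
O = Example Org

[ asa_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOSTNAME_FQDN, IP:203.0.113.10
EOF
}

# Generate an RSA key and a self-signed certificate valid for one year.
gen_cert() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORKDIR/asa.cnf" -keyout "$WORKDIR/asa.key" \
        -out "$WORKDIR/asa.crt" 2>/dev/null
}

# Check a certificate for the release-note attributes plus a SAN entry for the
# configured server name; print each missing item and return non-zero if any.
check_cert() {
    cert="$1"; name="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n1)
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1)
    case "$ku" in *"Digital Signature"*) ;; *) echo "missing KU digitalSignature"; rc=1;; esac
    case "$ku" in *"Key Encipherment"*) ;; *) echo "missing KU keyEncipherment"; rc=1;; esac
    # openssl prints IKE Intermediate (1.3.6.1.5.5.8.2.2) as "ipsec Internet Key Exchange"
    case "$eku" in *"TLS Web Server Authentication"*|*"ipsec Internet Key Exchange"*) ;;
        *) echo "missing EKU serverAuth / ikeIntermediate"; rc=1;; esac
    case "$san" in *"DNS:$name"*|*"IP Address:$name"*) ;;
        *) echo "no SAN entry for $name: client will report a server name mismatch"; rc=1;; esac
    return $rc
}

gen_cert
check_cert "$WORKDIR/asa.crt" "$HOSTNAME_FQDN" && echo "certificate OK for $HOSTNAME_FQDN"
```

Running `check_cert` against the same certificate with the name fw001.abc.com reproduces the mismatch from the CSR thread: the attributes pass but the SAN check fails, which is the warning a client given a different host name would show.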

  • Cisco anyconnect 3.1 - Certificate Validation Failure.

    When I try to start an SSL VPN connection to the ASA (8.4) with AnyConnect 3.1, AnyConnect receives a message saying "No Valid Certificates Available for Authentication".
    Prior to the test:
    On the ASA, I have obtained the CA certificate and its identity certificate (both certificates obtained from a Windows 2008 CA).
        * The ASA identity certificate has EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.
    On the PC on which AnyConnect is installed, I have obtained a User Certificate (this User certificate was also obtained from the same Windows 2008 CA).
        * Prior to obtaining the User certificate from the Windows 2008 CA, the ASA acts as a SCEP proxy on behalf of the client PC.
        * The User Certificate has EKU attribute = Client Authentication.
    As in the ASDM logs, it almost works.
    In days of troubleshooting, I still could not find the cause of this problem. Error message as appeared on AnyConnect;
    Is there anyone who could help???
    Keshara from Sri Lanka.

    Just run into this as well. We have CRL checking turned on. Turned out to be the CRL server was down. But that was the same message I got when the client wouldn't connect. 
